Negotiate with Hackers? Never! (Or Best Offer)

Episode Resources:

• Resilience Cybersecurity & Data Privacy
• M-Trends 2022: Mandiant Special Report
• Verizon Data Breach Investigation Report (2022)
• Cost of a Data Breach Report – IBM (2022)
• State of Ransomware – Survey and Report (2021)
• Conti Ransomware Group Diaries, Part I: Evasion – Krebs on Security
• The ransomware business is complicated, ruthless and growing fast – The Economist
• What to expect when you’ve been hit with Conti ransomware – Sophos News
• Ragnar Locker Gang Warns Victims Not to Call the FBI – threat post
• Lawyers Urged to Stop Advising Clients to Pay Ransomware Demands – info security Group
• Russia Sanctions Complicate Paying Ransomware Hackers – Wall Street Journal

Episode Transcript

Brian: Thanks for joining us on the Fearless Paranoia podcast here. We are demystifying cybersecurity to help you better defend against and recover from cyberattacks. I am Brian, the cybersecurity attorney.

Ryan: and I am Ryan, a cybersecurity architect and threat hunting specialist.

Brian: All right, Ryan. Since we were last discussing ransomware, we’ve gone through ransomware 101. We’ve also gone through kind of what it really means and how ransomware really works in computer systems. Today, we’re going to talk about maybe a touch your subject, but kind of the business side of ransomware. First things first, we’re going to dispense with this notion that ransomware infections are some kind of shot in the dark, right, that these hackers are just flinging things around seeing what little things stick that may have been true, even as recently as 10 years ago, it’s not anymore, as we discussed in previous episodes, ransomware the locking of your data and demanding money to let it go is the last stage of a complex compromise, not the first. So no matter how you decide to approach this idea of negotiating ransom, you need to assume that the ransomware gang knows a lot about you. And how they got the information varies widely from group to group, for example, recent hacks of the Conti ransomware group shows they do thorough research through publicly available information to determine your company’s annual revenue and actually based their ransomware demands on that number, they can also learn a lot by sifting through your own systems. So what we come down to is you’re going to be presented with a choice, when you get that ransom demand, you know, maybe your systems are great enough, and everything is so heavily encrypted, that you know, they couldn’t have possibly gotten your confidential data, you backup freely, and you get to forget about this whole thing. That would be amazing. But the reality is, for most small and medium sized businesses, you’re going to be put to a choice, negotiate or don’t. And we’re going to assume that for you payment is an option. If you don’t have the money to pay the ransom, you’re not making a choice, you’re dealing with the consequences. So assuming that you do have the money to pay a ransom, even if it’s not the initial demand, your next question is to negotiate or not. Now, we’re not here to answer that question for you simply because you can’t answer it for anyone but yourself. No one fully knows your situation. And so what we’re here to do is kind of describe the process when it comes to negotiating with ransomware gangs. So Ryan, you being the IT specialist in between us talk about what it means when you’re negotiating, what are the technical aspects when someone presents you with a ransom saying that they have your data.

Ryan: So it’s an interesting spot to start at prime because it means a lot of different things to a lot of different people. But it does mean a couple of concrete things. First of all, something is apparently happened in your company that you were underprepared for. And again, you can always be prepared, some of these attacks originate at the zero-day level where there is no available patch, there is no available defense. And it’s, it’s something that you just need to deal with. But what you do know at the initial stages of ransomware, is some of your system has already been infected by external forces, you’ve got either a piece of software or a script or a system that has been unleashed inside your network, either because a ransomware actor has already gained access to your network or because they have somehow used some method, the drive by social engineering, etc, to convince one of your users to either knowingly or accidentally unleash this upon your network.

Brian: So the first thing that you’ve learned by having this legit ransomware exposed, I mean, I’ve gotten emails in the past that imply that hackers have come in and taken my data or have video of me or whatnot. And I always kind of laugh what I’m saying, Okay, you sent that to me via an email, whatever. But when a real ransomware that comes up, one of the first things, obviously, you know, is that at some point, you had a vulnerability that was accessed, right?

Ryan: Yep, absolutely, there was some sort of automated tooling that was that was run against your system, taking advantage of some sort of exploit that allowed it to operate with elevated privileges enough, so to be able to encrypt portions of your network.

Brian: And when it comes to ransomware, we’re going to discuss this in a later episode. But there’s a difference between traditional ransomware and what’s now double, triple and quadruple, and however any more iterations of that you can come up with extortion, one of which involves locking up your data locally, and the other involves probably that and exfiltrating some of your data out as well, when they’re looking at your system and just locking up your system, then all we’re really talking about negotiation is unlocking your system, right? 

Ryan: Correct. I think and this was in the early days of the ransomware. You know, the ransomware problem that was it was more exactly that that type of scenario where you either picked it up through a drive by or through an email and the whole purpose of it was to lock up your system. them enough to be a big enough inconvenience to warrant getting some money out of you with the intention of providing the service of unlocking this afterwards, because that would open up, like you said, those second stage third stage opportunities for extortion because if they don’t unlock it, you’ve broken that funny enough to call it this, you’ve broken that trust barrier. If they do follow through in the end, even though it wasn’t a service that you wanted, intended or ever plan to pay for, they still did offer you the service, and they gave you back your right. Um, so you may think, okay, cool. So I paid this ransom, and everything is fine. Again,

Brian: But then the concept that double extortion when they’re actually exfiltrating data, you’re now negotiating over two things. At least one is what’s done with your system, assuming that they probably lock up some portion of your your business’s operating system, and to what is done with this data. Talk about what does it mean, when you’re talking about this data they’ve taken?

Ryan: Yeah, I think what you’re getting to now as you’re getting the what’s becoming more prevalent that most of these ransomware actors aren’t operating alone, like they had in the past, where it was easiest to just take advantage of the lowest hanging fruit, the most exploitable systems, make a quick buck walk away from it, maybe come back later if you got the opportunity to reinfect. But there was no real guarantees in it. And all you were doing was making a fast dollar fast buck, they started to realize later that there was opportunities beyond that as well not just in the ability to extort at the different levels, like you said, first of all, for the actual encryption key to unlock the system and allow you to operate, you know, your your business again. But the second stage where Okay, now we’ve exfiltrated data that’s really sensitive to your business, now that we’ve unlocked you and you’re operating. And we want you to know we’ve got this and we’re going to publish it. And so now you got to give us even more money to keep our mouths shut at that stage, you’ve already kind of again, eroded that trust barrier. But now they’re working extra hard to try and not just get the quick dollar out of you, but as many as they can before moving on to the next one. And stepping into that data exfiltration stage is also something that’s more worrying because it’s not purely an attack usually done from the from the outside in as some of the early ransomware is where they just encrypted, your system walked away and had you contact them to to finish that exchange. In a lot of cases where they’ve done data exfiltration, usually what you have is some sort of infiltration, which means they’ve got access into your network through some means. And chances are if they do that, there’s probably also a persistence mechanism in place somewhere as well to make sure that not only do we just get access to the system and have the ability to exfiltrate data, and then maybe later encrypt and go through this whole negotiation chain. But once you get through that whole negotiation chain, if they get money out of you 1234 different times but still have persistence into your system, all they need to do is choose the timing that they want. And they can reset that whole negotiation chain back to stage one again, and then start the whole process over. And so becomes becomes that much more critical that as you go into negotiations that you trigger some sort of response mechanism to really deal with the fact that there could be much more to this and there could be much thicker layers involved and what are readily visible right at the time of the panic when that starts.

Brian:   You’re listening to the Fearless Paranoia podcast for more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.

Brian: So let’s say you know as a small business, you’re attempting to make the decision whether or not you’re going to negotiate now Key among all of the factors in there is a Do you have the funds to pay anything that you negotiate to begin with? B? Do you have a true way of negotiating with these hackers to see how much and what day to day have the situation operates with a carrot and a stick? And the stick they have is the data they’ve taken from you? Is there a way to really know how much they have and what they have. Because obviously, if you know what they have, your bargaining position is much stronger in at the very least in as much you know exactly what kind of information would be released.

Ryan: Without trying to make this part of the conversation sound too dark, that’s it usually gets to be a little bit tough to make the determination of exactly what it is they’ve had or what it is they have access to not necessarily in the end because I think at the end, usually you can piece together enough of that whole story to get a good idea of where they’ve been in what they’ve taken. The problem is is most of these ransomware attacks come with a timeframe attached to them that enforce compliance or negotiations do occur within usually a short period of time so that they’re not sitting here with these long cases drowned out because the longer they give you to react to this the better opportunity you have of either determining that you don’t need to pay the ransom or that you find a way to counteract Whatever the means are that they put in place. By keeping that time that timeframe that window short, they force you to respond in a more prompt and usually more aggressive manner, which usually works well in their favor. However, with enough time, I think it is definitely possible for most good forensics seems to be able to dig into the systems and really start tracking down a lot of the movement in and out of the systems. The problem is, is it takes a significant amount of time and most businesses outside of the largest of enterprises don’t have that type of monitoring and log collection and log aggregation in place to be able to make those type of searches efficient and timely. In most cases, you would need to go system by system pulling images and then going through the images with, you know, your forensics comb, basically, to try and look for indicators of compromise points of infection, and then points of spread throughout the systems to kind of piece together a timeline. And again, doing that inside of the typical 72 to 96 hour time frame that a lot of ransomware actors really give to respond gets to be not impossible, but it follows challenging at best, yeah, highly improbable that you’ll be able to pull that off in that timeframe, unless again, you’re talking about a large enterprise or an extremely advanced managed service security provider that has that kind of logging in place and has the experience enough to identify and track down that whole that whole Kill Chain and ransomware hate chain fast enough to make those kinds of determinations inside of that window where you still have the opportunity to negotiate.

Brian: So it sounds like and I do know that we’ve seen from several different brands, work groups, they’ll give you example files, they’ll post content. Ransomware, for example, had a whole URL set up as their dumps where they would put the documents from businesses who failed to pay the ransom. And they would set up a private page with a couple of documents that they assumed would be among your more important as sort of a for lack of better way of putting it proof of concept or proof of life showing. And then they’d kind of give you an idea of what folders and what types of documents they’d taken. Is that something that you think businesses can rely on as to examples of the information has been taken?

Ryan: I think that’s one that we’ll have to take with a grain of salt no matter what I’d say yes, and no, yes, I think that if they show you proof of your files and give you a couple unencrypted copies of the files, it definitely proves that there was some level of data exfiltration, which means that they in their possession have some level of data. The problem is, is unless they show you independent, unique data in those few examples from multiple different sources that you can attribute to only existing in certain locations, it’s going to be hard for you to make a determination of what the level is of their actual impact as far as the exfiltration. Because let’s say they were able to get as far as impacting one single endpoint at your company of 3000 people, that person has access to a few really secure files, maybe they grabbed your CFO. So they’ve got a couple of accounting files, they can show you that are current, and all of a sudden you think, Oh no, they’ve got everything in our system, well, they might have only gotten access to your CFOs actual workstation or account and might be limited as far as access to what that user or that system had available to it. But they could play that off as we have pulled data from your entire network. And it comes down to trusting the word of a thief is really what it is. And so to me, I would say yes, I think that there’s some level of confidence that they can prove that data. exfiltration was a piece of that puzzle. But I think with the way that they scoped that down, it becomes really challenging to identify how far that scope really extends, unless you’ve got the proper monitoring in place to really be able to detect, okay, we know that this quantity of data went through this specific place. And we tracked how much data left at that point. Because again, if a couple Meg’s of data transferred across a connection to a bad known IP that you can find related to this incident, then maybe they’ve got just those few files or a few, you know, a few critical but not widespread, you know, access to those files. Instead, you could go back and look at those logs and see gigabytes, terabytes of data being transferred over to bad known IPs. And then it’s probably pretty safe to say that you’ve got massive exfiltration that’s occurred. But again, I’m much more apt to say trust the data before you trust the word of someone who’s trying to take advantage of you because they’re going to do their best to employ whatever techniques are required to get that from you most of those being technical, but in most cases, they’ve also never shied away from social engineering, since in a lot of cases that seems to be almost as effective as as going to technical exploits.

Brian: So it sounds to me from a technical side, even if you can’t get a full forensic analysis of your systems to find out what data has been taken. You need to do everything in your power with this short amount of time, you’ve got to find out whether business critical data has been taken before you mean the decision to negotiate may come down entirely to whether or not you can determine what data has been taken and that if you can, whether that data is important enough to negotiate over sounds that sounds about right.

Ryan: Yeah, absolutely. And that’s why I think it’s really important not just to have those conversations during that window But right now, I mean, I think it’s a good time with how prevalent is becoming for all businesses to sit down and kind of have that come to a realization meeting of what data of theirs is super critical, what data is highly critical. You need to go through and classify your assets and classify your different data and make that determination of if there were to be some sort of major impact to us, whether it’s data exfiltration and somebody hijacks your data, or whether somebody just ransoms your data, you know, encrypts it, what if somebody just wipes the data? You know, it’s there’s a lot of destructive malware out there nowadays that just goes through, it just blows systems away just for the sake of blowing it up. What would you get at what are you going to do without that data and use that as kind of a gauge of how critical it is to you and then you need to make sure that you have resiliency just built into the planning for all of that data to prevent against these things. Because these will continue to happen. They’re getting harder and harder to avoid with more zero day exploits showing up quite frequently on the on the web. And you know, this is going to happen to a lot of businesses. And really, the only way to truly be safe from it is to be resilient from it not to be defensive against it.

Brian:   You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out Fearless Paranoia.com We’ll find a post for this episode containing links to all the sources research information that we have cited to you. And also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show. 

Brian: The other interesting part about the question of whether to negotiate is that you’ve got the technical side of it, you’ve got the data that they’ve locked up, you’ve also got the data that they’ve stolen, are you able to get back or operate without the data that’s been locked up? Are you capable of withstanding the issues if that data is sent public, there are business and legal consequences that you have to throw in as well. The technical side of it is one thing but in electing whether to pay or not, you can go to the cops. In fact, you probably should there play ransomware groups that are now coming in saying that if you report anything to the police, or if you bring in a negotiator, they will immediately consider that a rejection of the ransom and publish whatever. There are plenty of others who will prefer to deal with the negotiator. But the cops will tell you don’t pay the ransom, because paying the ransom incentivizes people to, you know, continue sending ransomware out and continue using it and continuing to exploit businesses and people all over the world. Sure, they’re also going to understand if you elect to pay it with certain limitations. For example, North Carolina has recently passed a law saying that no state county or municipal organizations are allowed to pay any ransom period. Now, in my mind, all that is an attempt to tell ransomware gangs, hey, you’re not gonna get anything from us. So don’t make us a target more than it’s really an actual promise not to pay. But the bottom line is you need to make sure that you have legal counsel advise you of the risks of paying the ransom, if you elect to do so because there are more risks out there than just about whether your data gets published. You may be for example, violating money laundering laws. There also been a whole bunch of laws regarding money transactions into and out of Russia, since Russia invaded Ukraine, he may be violating trade embargoes and financial restrictions. If you pay any of these ransoms, you could also be at risk of being hit with ofac sanctions. Are you able to determine whether there’s a sanctions risk before you make payment, you have to look at your insurance, some of your cyber liability insurance and some of your general insurance will pay for ransom payment. But it depends on the policy and how the ransom was negotiated. So you got to know your insurance. The big one, when it comes to this double, triple and quadruple extortion is your business relationships? Well, you elect to disclose to your clients, customers, vendors, whatever, that you are the victim of ransomware attack, because depending on the data that was taken, you may be required to disclose your breach under state or federal data breach notification requirements. Do you know it was taken Do you know whether you have to notify anybody you may also elect to notify your important clients, customers or vendors early. Doing so allows you to control the narrative. But there’s no universal agreement that you should actively inform your vendors or clients or customers that you’ve been hit with a ransomware attack, especially if you’re not sure that they would ever have to be informed. There’s a lot of really difficult business decisions that you have to make. And then on top of everything else, you have to manage your recovery and the prevention of the disclosure of key information. So even if you’ve paid the ransom, you need to go back and find out afterwards what kind of information was taken, was it confidential information, how much of it was taken, how business critical is it if it’s trade secret information? Are you gonna have to pay the ransom no matter what, because if they publish it, it’s no longer a trade secret. There are a lot of legal considerations to be made on top of the simple question of, even if you pay the ransom, how confident are you that the ransomware gang will not disclose what was taken? Then on the flip side, you know, if you don’t pay the ransom, okay, that’s fine. How good are your backups? How far back do they go? Because ransomware groups are now targeting backups as well. And how prepared are you for that data that was taken to be published? I mean, Ryan, I don’t know about you. But I don’t know if I would lie. No, I would never want to be in the position, I’m gonna make this call. But to me, it feels like such a case by case decision making process that it makes it very difficult for small business owners to do anything other than, like you said, prepare to be resilient.

Ryan: Yeah, no, I completely agree. That’s why I think having disaster recovery, incident response conversations are not something that’s usually very uncomfortable, especially at the smaller size businesses, but they’re critical. They’re critical conversations to have, like you said, discussing stuff like just knowing how much data can you lose and still go back to operating your business? How much time can your systems be down before you stop being able to provide the service or provide the products to your customers and start seeing real business disruptions and how much of your cyber architecture how much of your systems architecture is required in order to meet those objectives? And if any of those pieces of that architecture are a critical component of you being able to return to service effectively from a major outage, you need to play on resiliency, and those systems, not just through things like high availability. So in the case of hardware failure, something goes out, but from a recovery standpoint, as well of what happens if that whole system burns to the ground, whether it’s through ransomware, and then destroying the data or fire in your data center? How are you going to recover those systems? Because again, you know, it’s almost the same type of end goal. And it’s almost the same type of process, when you hit that point of you no longer have access to your data, or you may never get your data back, what are you going to do about it, in order for a business to survive, they need to be prepared to deal with those types of scenarios.

Brian: And probably one thing that I can’t stress enough, from my perspective is to have as many of these discussions have, as many of these factors brought up and argued and weighed and evaluated and negotiated over tabletop exercises before an attack takes place so that when it happens, you can focus your energy on the immediate needs, learning exactly what was taken, instead of debating whether or not you call the cops instead of debating whether or not you inform your clients or your customers, you are going to be pressed for time when this happens. So make sure that you understand and have a pretty good idea of what your negotiating position is going to be. And if it’s conditional, what those conditions are, before any of this ever comes up that way, the resilience on one hand, technically, you’ll be able to get back to business quicker, but on the other hand, you’ll be in a position to have time on your side as much as possible. In my opinion, there is no bigger waste of critical minutes in these situations than having to have all of these debates for the first time after the first ransom demand hits your screen.

Ryan: Yeah, absolutely. The last thing that you want to do is start the conversation in a disaster type scenario with the words I don’t know. That’s gonna be the worst place that you can start with if you have clearly defined processes and procedures, whether or not they’re even complete, at least if you have that plan ahead of time, and you have those core bases covered good backups, multiple backups, and frequent backups are a huge thing that will save you from ransomware and then standard basic hygiene, make sure your systems are getting restarted, patched all of the basics spitballing. And just kind of ballpark 80 plus percent of most of your incidents are exploiting low hanging fruit. As long as you take care of those couple of basic pieces of hygiene, you’re going to go a long way into adding resilience back to your business. 

Brian: Alright, that’s it for us today on Fearless Paranoia. We’re glad you joined us to hear about exactly how terrible your options are when you’re negotiating ransomware, but the key takeaway is be prepared in all context. Being prepared doesn’t mean just being technically prepared, but it also means understanding what you’re going to need to deal with in the event anything’s things happen, training, education, tabletop exercises, they are all critical. Please take a listen to some of our earlier podcasts covering ransomware for additional information on some of the basics for Ryan, our IT specialist. I’m Brian and we will see you next time. Thanks